]]>http://blogs.msmvps.com/spywaresucks/2016/11/23/do-you-have-an-ask-toolbar-installed-beware/feed/0New security steps for linked Skype and Microsoft accountshttp://blogs.msmvps.com/spywaresucks/2016/11/23/new-security-steps-for-linked-skype-and-microsoft-accounts/
http://blogs.msmvps.com/spywaresucks/2016/11/23/new-security-steps-for-linked-skype-and-microsoft-accounts/#respondWed, 23 Nov 2016 08:25:30 +0000http://blogs.msmvps.com/spywaresucks/?p=2415I received a spam message via Skype today from a person who I normally think of as too sophisticated to do something silly like re-use passwords. And heard of another person who had also been compromised, but had absolutely no idea how it may have happened.

I learned as part of my research into what may have been the source of the compromises that if you have previously linked your Skype and Microsoft accounts, and have enabled two factor authentication for the Microsoft account, bad guys can still get access to your Skype if they have your old Skype username and password, because that log in path is not protected by the 2FA for Microsoft accounts.

There is a fix however – “merging” the two accounts, which is not the same as “linking” – details are here:

You’ll end up with just the one password for both your Skype and Microsoft accounts – the Microsoft account password – and apparently you will now be protected by the 2FA even when you use your old Skype username to log in.

]]>http://blogs.msmvps.com/spywaresucks/2016/11/16/kryptowire-discovers-mobile-phone-firmware-that-transmitted-personally-identifiable-information-without-user-consent-or-disclosure/feed/0Microsoft’s new Security Updates Guidehttp://blogs.msmvps.com/spywaresucks/2016/11/09/2408/
http://blogs.msmvps.com/spywaresucks/2016/11/09/2408/#respondWed, 09 Nov 2016 09:29:56 +0000http://blogs.msmvps.com/spywaresucks/?p=2408Microsoft have released a preview of their new single destination for security vulnerability information, the Security Updates Guide. Instead of publishing bulletins to describe related vulnerabilities, the new portal lets you view and search security vulnerability information in a single online database.

Microsoft will continue to publish bulletins while also adding information to the new Guide until January 2017. After that, information will only be published to the Guide.

]]>http://blogs.msmvps.com/spywaresucks/2016/11/09/2408/feed/0Google Chrome extensions sold and adware/tracking behavior added without noticehttp://blogs.msmvps.com/spywaresucks/2016/11/08/google-chrome-extensions-sold-and-adwaretracking-behavior-added-without-notice/
http://blogs.msmvps.com/spywaresucks/2016/11/08/google-chrome-extensions-sold-and-adwaretracking-behavior-added-without-notice/#respondTue, 08 Nov 2016 02:27:09 +0000http://blogs.msmvps.com/spywaresucks/?p=2406This morning I have read about four extensions, all of which have now been removed from the Chrome Store and which should have been automatically disabled if installed to Chrome: “Live HTTP Headers”, “Tab Manager”, “Appspector” and “Give Me CRX”.

The common thread is the extensions started injecting code into webpages pointing to “s3.eu-central-1.amazonaws.com/forton/*****.js”. The goal seems to have been to inject advertising into web pages visited.

This is not the first time Chrome extensions have been sold and new advertising / tracking behavior added by the new owner without warning. Yes, the Chrome extensions prompt for updated permission to run when the behavior was changed, but it is not clear to the average user what the implications of those new permissions are. For example, a prompt that says an application will “read and change all your data on the websites you visit” or “access your data on all websites” does not make it clear that it is also going to transmit that data to somewhere else, or inject advertising.

The new owners were seemingly able to update those apps, and get them installed onto users computers, without Google identifying and stopping the new behaviors in time – new behaviors that were apparently judged bad enough for the apps to be removed from the Chrome Web Store.

From the German site (apologies for the translation errors): “In the background, however, the extension also logs and transmits the data for the surfing behavior of the user to a server abroad. A profile is created where the date, time, location, and controlled web address are stored together with a user ID.”

Further: “These data then go to intermediaries. From one of these intermediaries, Panorama and ZAPP got their record.” It is unclear to me whether the ‘data’ that is shared with ‘intermediaries’ includes that user ID.

And: “Reporters from the NDR have been able to personally identify more than 50 users, for example via e-mail addresses in which the name is located, logins, or other components of the called URLs.”

And: “To reach the information, the NDR Reporters have founded a dummy company, which is supposedly active in the “big data” business. Several companies were ready to sell the web data of German Internet users – a company offered the data now evaluated as a free sample. Data packages like this offer countless companies.”

According to pogowasright, WOT have stated that “We take our users’ privacy rights very seriously, and for that reason we go to great lengths to anonymize and aggregate the data we collect to run our service, and we of course never license or disclose user registration information.”

This is a timely reminder that if you collect and share information about web sites visited, you need to be cautious about the inadvertent collection and sharing of PII that may be embedded in a URL.

It’s also a timely reminder that a unique ID may not actually be anonymous. All depends on what that unique ID can potentially be combined with.

]]>http://blogs.msmvps.com/spywaresucks/2016/11/07/web-of-trust-wot-scandal/feed/1Fix for when Windows 7 is stuck at “checking for updates”http://blogs.msmvps.com/spywaresucks/2016/09/26/fix-for-when-windows-7-is-stuck-at-checking-for-updates/
Mon, 26 Sep 2016 06:24:17 +0000http://blogs.msmvps.com/spywaresucks/?p=2399It works a treat:

]]>Australian Bureau of Statistics waves a big red flag at a bull (aka hackers)http://blogs.msmvps.com/spywaresucks/2016/08/03/australian-bureau-of-statistics-waves-a-big-red-flag-at-a-bull-aka-hackers/
Wed, 03 Aug 2016 10:18:50 +0000http://blogs.msmvps.com/spywaresucks/?p=2396The 5 yearly Australian Census is collecting the names and addresses of all Australians (nothing unusual there), matching that information to myriad questions in the Census (again, nothing unusual). However, they are now retaining names and addresses to enable the Census to be linked to other national data for up to four years, instead of just 18 months. AND, whilst previously Australians were allowed to opt-in to having personally identifiable information retained, as of this year, they have no choice.

And, they’re collecting the information online for the first time.

And I’m listening to Senator McCormack on TV right now saying, paraphrased, ‘ABS say they’ve never been hacked and they promise me they won’t be hacked.’

Yes. Really. What a promise to make. Nobody can make such a promise. N.O.B.O.D.Y.

At the same time, BM’s Worldwide Security Solution Architect has stated that Australia’s sensitive census data will be “inevitably” hacked.

Not surprisingly, there is much fear and angst out there, with threats to boycott, people planning to put fake names into their Census answers, and some saying they will order a paper form which they will fill in using a special no-copy blue pen. There is also commentary that Census legislation doesn’t actually allow for the compulsory collection of names and addresses, because the legislation consistently refers to “statistical information”.

And nothing has been said about protected persons such as people whose names have been removed from the electoral role for security and safety reasons – for example, police or other people whose safety is at real risk for various reasons.